21574865257

Committed 02 Feb 2026 02:06AM UTC coverage: 90.943% (+83.3%) from 7.646%

Build # 21574865257

Build Type

push

github

Committed by

jacob-hartmann

Commit Message

Refactor test assertions in attachment and comment tools to improve clarity and consistency. Remove unnecessary binding of mock client methods, enhancing readability and maintainability of test cases. Update .gitignore to exclude package.json for cleaner project structure.

Run Details

835 of 929 branches covered (89.88%)

Branch coverage included in aggregate %.

1615 of 1765 relevant lines covered (91.5%)

14.52 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

63.51

/src/server/http-server.ts

/**
 * HTTP Server for MCP
 *
 * Creates an Express-based HTTP server with:
 * - OAuth authorization server endpoints (via mcpAuthRouter)
 * - OAuth callback from Quire
 * - Protected MCP endpoint with Bearer auth
 * - StreamableHTTP transport
 * - Security hardening (helmet, rate limiting, CORS, cache control)
 */

import { randomUUID } from "node:crypto";
import express from "express";
import helmet from "helmet";
import rateLimit from "express-rate-limit";
import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";

import type { HttpServerConfig } from "./config.js";
import {
  QuireProxyOAuthProvider,
  handleQuireOAuthCallback,
} from "./quire-oauth-provider.js";
import { getServerTokenStore } from "./server-token-store.js";
import { isCorsAllowedPath } from "./cors.js";
import {
  SESSION_ID_DISPLAY_LENGTH,
  JSONRPC_ERROR_INVALID_REQUEST,
  JSONRPC_ERROR_INTERNAL,
} from "../constants.js";
import { escapeHtml } from "../utils/html.js";
import { LRUCache } from "../utils/lru-cache.js";

// ---------------------------------------------------------------------------
// Constants
// ---------------------------------------------------------------------------

/** Token cleanup interval in milliseconds (5 minutes) */
const TOKEN_CLEANUP_INTERVAL_MS = 5 * 60 * 1000;

/** Session idle timeout in milliseconds (30 minutes) */
const SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1000;

/** Rate limit: max requests per window */
const RATE_LIMIT_MAX = 100;

/** Rate limit window in milliseconds (1 minute) */
const RATE_LIMIT_WINDOW_MS = 60 * 1000;

/** Maximum number of concurrent sessions to prevent memory exhaustion */
const MAX_SESSIONS = 1000;

// ---------------------------------------------------------------------------
// HTTP Server
// ---------------------------------------------------------------------------

/** Track session last activity for idle timeout */
interface SessionInfo {
  transport: StreamableHTTPServerTransport;
  lastActivity: number;
}

/**
 * Start the HTTP server with OAuth and MCP endpoints.
 */
export async function startHttpServer(
  getServer: () => McpServer,
  config: HttpServerConfig
): Promise<void> {
  const { host, port, issuerUrl } = config;

  // Create OAuth provider
  const provider = new QuireProxyOAuthProvider(config);

  // Create Express app with DNS rebinding protection
  const app = createMcpExpressApp({ host });

  // Security headers via helmet
  app.use(
    helmet({
      // Disable contentSecurityPolicy as MCP uses JSON-RPC
      contentSecurityPolicy: false,
      // Keep other security headers
      crossOriginEmbedderPolicy: false,
    })
  );

  // Rate limiting for OAuth and MCP endpoints
  const limiter = rateLimit({
    windowMs: RATE_LIMIT_WINDOW_MS,
    max: RATE_LIMIT_MAX,
    standardHeaders: true,
    legacyHeaders: false,
    message: { error: "Too many requests, please try again later" },
  });

  // Apply rate limiting to sensitive endpoints
  app.use("/oauth", limiter);
  app.use("/mcp", limiter);

  // CORS middleware - allow OAuth endpoints, restrict MCP endpoint
  app.use((req, res, next) => {
    const origin = req.headers.origin;
    if (!origin) {
      next();
      return;
    }

    // Allow CORS for OAuth discovery and flow endpoints
    // mcpAuthRouter mounts at root: /authorize, /token, /register
    // Our custom callback is at /oauth/callback
    const isAllowed = isCorsAllowedPath(req.path);

    if (isAllowed) {
      res.setHeader("Access-Control-Allow-Origin", origin);
      res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
      res.setHeader(
        "Access-Control-Allow-Headers",
        "Content-Type, Authorization"
      );
      res.setHeader("Access-Control-Max-Age", "86400");

      // Handle preflight
      if (req.method === "OPTIONS") {
        res.status(204).end();
        return;
      }

      next();
      return;
    }

    // Block cross-origin requests to /mcp endpoint
    res.status(403).json({ error: "Cross-origin requests not allowed" });
    return;
  });

  // Cache-Control headers for OAuth and MCP endpoints
  const noCacheMiddleware: express.RequestHandler = (_req, res, next) => {
    res.setHeader(
      "Cache-Control",
      "no-store, no-cache, must-revalidate, private"
    );
    res.setHeader("Pragma", "no-cache");
    res.setHeader("Expires", "0");
    next();
  };

  // Apply no-cache to all OAuth endpoints (both root-level and /oauth/*)
  app.use("/oauth", noCacheMiddleware);
  app.use("/mcp", noCacheMiddleware);
  app.use("/authorize", noCacheMiddleware);
  app.use("/token", noCacheMiddleware);
  app.use("/register", noCacheMiddleware);
  app.use("/.well-known", noCacheMiddleware);

  // Parse JSON bodies
  app.use(express.json());

  // Mount OAuth auth router (AS metadata, authorize, token, register endpoints)
  app.use(
    mcpAuthRouter({
      provider,
      issuerUrl: new URL(issuerUrl),
      scopesSupported: ["read:user"],
      resourceName: "Quire MCP Server",
    })
  );

  // Handle OAuth callback from Quire
  app.get("/oauth/callback", async (req, res) => {
    const { code, state, error, error_description } = req.query;

    // Handle error from Quire
    if (error) {
      const errorMsg = typeof error === "string" ? error : "Unknown error";
      const errorDesc =
        typeof error_description === "string" ? error_description : errorMsg;
      console.error(`[quire-mcp] Quire OAuth error: ${errorMsg}`);
      res.status(400).send(`
        <!DOCTYPE html>
        <html>
        <head><title>Authorization Failed</title></head>
        <body>
          <h1>Authorization Failed</h1>
          <p>${escapeHtml(errorDesc)}</p>
          <p>You can close this window.</p>
        </body>
        </html>
      `);
      return;
    }

    // Validate params
    if (typeof code !== "string" || typeof state !== "string") {
      res.status(400).send(`
        <!DOCTYPE html>
        <html>
        <head><title>Invalid Request</title></head>
        <body>
          <h1>Invalid Request</h1>
          <p>Missing code or state parameter.</p>
        </body>
        </html>
      `);
      return;
    }

    // Process callback
    const result = await handleQuireOAuthCallback(
      config,
      getServerTokenStore(),
      code,
      state
    );

    if ("error" in result) {
      res.status(400).send(`
        <!DOCTYPE html>
        <html>
        <head><title>Authorization Failed</title></head>
        <body>
          <h1>Authorization Failed</h1>
          <p>${escapeHtml(result.errorDescription)}</p>
          <p>You can close this window.</p>
        </body>
        </html>
      `);
      return;
    }

    res.redirect(result.redirectUrl);
  });

  // Create session-to-transport map for stateful connections with activity tracking
  // Uses LRU cache to prevent memory exhaustion from spam attacks
  const sessions = new LRUCache<SessionInfo>({
    maxSize: MAX_SESSIONS,
    onEvict: (sessionId, session) => {
      console.error(
        `[quire-mcp] Evicting session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)} (max sessions reached)`
      );
      try {
        session.transport.close().catch((err: unknown) => {
          console.error(
            `[quire-mcp] Error closing evicted session:`,
            err instanceof Error ? err.message : err
          );
        });
      } catch {
        // Ignore close errors on eviction
      }
    },
  });

  // Get resource metadata URL for WWW-Authenticate header
  const resourceMetadataUrl = `${issuerUrl}/.well-known/oauth-protected-resource`;

  // Helper to update session activity
  const touchSession = (sessionId: string): void => {
    const session = sessions.get(sessionId);
    if (session) {
      session.lastActivity = Date.now();
      // Re-set to update LRU order
      sessions.set(sessionId, session);
    }
  };

  // Helper to clean up a session
  const cleanupSession = (sessionId: string): void => {
    const session = sessions.get(sessionId);
    if (session) {
      try {
        session.transport.close().catch((err: unknown) => {
          console.error(
            `[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
            err instanceof Error ? err.message : err
          );
        });
      } catch (err) {
        console.error(
          `[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
          err instanceof Error ? err.message : err
        );
      }
      sessions.delete(sessionId);
    }
  };

  // MCP POST handler
  const mcpPostHandler: express.RequestHandler = async (req, res) => {
    const sessionId = req.headers["mcp-session-id"] as string | undefined;

    try {
      let transport: StreamableHTTPServerTransport;

      const existingSession = sessionId ? sessions.get(sessionId) : undefined;
      if (sessionId && existingSession) {
        // Reuse existing transport and update activity
        transport = existingSession.transport;
        touchSession(sessionId);
      } else if (!sessionId && isInitializeRequest(req.body)) {
        // New initialization request
        transport = new StreamableHTTPServerTransport({
          sessionIdGenerator: () => randomUUID(),
          onsessioninitialized: (sid) => {
            sessions.set(sid, {
              transport,
              lastActivity: Date.now(),
            });
          },
        });

        // Clean up on close
        transport.onclose = () => {
          const sid = transport.sessionId;
          if (sid && sessions.has(sid)) {
            sessions.delete(sid);
          }
        };

        // Connect transport to a new server instance
        // Cast required due to exactOptionalPropertyTypes incompatibility with SDK
        const server = getServer();
        await server.connect(transport as unknown as Transport);
        await transport.handleRequest(req, res, req.body);
        return;
      } else {
        // Invalid request
        res.status(400).json({
          jsonrpc: "2.0",
          error: {
            code: JSONRPC_ERROR_INVALID_REQUEST,
            message: "Bad Request: No valid session ID provided",
          },
          id: null,
        });
        return;
      }

      await transport.handleRequest(req, res, req.body);
    } catch (error) {
      console.error("[quire-mcp] Error handling MCP request:", error);
      if (!res.headersSent) {
        res.status(500).json({
          jsonrpc: "2.0",
          error: {
            code: JSONRPC_ERROR_INTERNAL,
            message: "Internal server error",
          },
          id: null,
        });
      }
    }
  };

  // MCP GET handler (SSE streams)
  const mcpGetHandler: express.RequestHandler = async (req, res) => {
    const sessionId = req.headers["mcp-session-id"] as string | undefined;

    const session = sessionId ? sessions.get(sessionId) : undefined;
    if (!sessionId || !session) {
      res.status(400).json({
        jsonrpc: "2.0",
        error: {
          code: JSONRPC_ERROR_INVALID_REQUEST,
          message: "Invalid or missing session ID",
        },
        id: null,
      });
      return;
    }

    touchSession(sessionId);
    await session.transport.handleRequest(req, res);
  };

  // MCP DELETE handler (session termination)
  const mcpDeleteHandler: express.RequestHandler = async (req, res) => {
    const sessionId = req.headers["mcp-session-id"] as string | undefined;
    const session = sessionId ? sessions.get(sessionId) : undefined;

    if (!sessionId || !session) {
      res.status(400).json({
        jsonrpc: "2.0",
        error: {
          code: JSONRPC_ERROR_INVALID_REQUEST,
          message: "Invalid or missing session ID",
        },
        id: null,
      });
      return;
    }

    try {
      await session.transport.handleRequest(req, res);
    } catch (error) {
      console.error("[quire-mcp] Error handling session termination:", error);
      if (!res.headersSent) {
        res.status(500).json({
          jsonrpc: "2.0",
          error: {
            code: JSONRPC_ERROR_INTERNAL,
            message: "Error processing session termination",
          },
          id: null,
        });
      }
    }
  };

  // Set up routes with Bearer auth middleware
  const authMiddleware = requireBearerAuth({
    verifier: provider,
    resourceMetadataUrl,
  });

  app.post("/mcp", authMiddleware, mcpPostHandler);
  app.get("/mcp", authMiddleware, mcpGetHandler);
  app.delete("/mcp", authMiddleware, mcpDeleteHandler);

  // Start automatic token cleanup interval
  const tokenStore = getServerTokenStore();
  const cleanupInterval = setInterval(() => {
    tokenStore.cleanup();

    // Also clean up idle sessions
    const now = Date.now();
    for (const [sessionId, session] of sessions.entries()) {
      if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {
        console.error(
          `[quire-mcp] Closing idle session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}...`
        );
        cleanupSession(sessionId);
      }
    }
  }, TOKEN_CLEANUP_INTERVAL_MS);

  // Don't keep the process alive just for cleanup
  cleanupInterval.unref();

  // Start listening
  await new Promise<void>((resolve, reject) => {
    const server = app.listen(port, host, () => {
      console.error(`[quire-mcp] HTTP server listening on ${host}:${port}`);
      console.error(
        `[quire-mcp] OAuth metadata: ${issuerUrl}/.well-known/oauth-authorization-server`
      );
      console.error(`[quire-mcp] MCP endpoint: ${issuerUrl}/mcp`);
      resolve();
    });

    server.on("error", reject);

    // Graceful shutdown handler
    const shutdown = (signal: string): void => {
      console.error(
        `[quire-mcp] Received ${signal}, shutting down gracefully...`
      );

      // Stop accepting new connections
      server.close(() => {
        console.error("[quire-mcp] HTTP server closed");
      });

      // Clear the cleanup interval
      clearInterval(cleanupInterval);

      // Close all active sessions
      console.error(
        `[quire-mcp] Closing ${sessions.size} active session(s)...`
      );
      for (const [sessionId, session] of sessions.entries()) {
        try {
          session.transport.close().catch((err: unknown) => {
            console.error(
              `[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
              err instanceof Error ? err.message : err
            );
          });
        } catch {
          // Ignore close errors during shutdown
        }
      }
      sessions.clear();

      // Give connections time to close gracefully, then force exit
      setTimeout(() => {
        console.error("[quire-mcp] Shutdown complete");
        process.exit(0);
      }, 5000);
    };

    // Handle termination signals
    process.on("SIGINT", () => {
      shutdown("SIGINT");
    });
    process.on("SIGTERM", () => {
      shutdown("SIGTERM");
    });
  });
}

1	/**
2	* HTTP Server for MCP
3	*
4	* Creates an Express-based HTTP server with:
5	* - OAuth authorization server endpoints (via mcpAuthRouter)
6	* - OAuth callback from Quire
7	* - Protected MCP endpoint with Bearer auth
8	* - StreamableHTTP transport
9	* - Security hardening (helmet, rate limiting, CORS, cache control)
10	*/
11
12	import { randomUUID } from "node:crypto";
13	import express from "express";
14	import helmet from "helmet";
15	import rateLimit from "express-rate-limit";
16	import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
17	import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
18	import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
19	import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
20	import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
21	import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
22	import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
23
24	import type { HttpServerConfig } from "./config.js";
25	import {
26	QuireProxyOAuthProvider,
27	handleQuireOAuthCallback,
28	} from "./quire-oauth-provider.js";
29	import { getServerTokenStore } from "./server-token-store.js";
30	import { isCorsAllowedPath } from "./cors.js";
31	import {
32	SESSION_ID_DISPLAY_LENGTH,
33	JSONRPC_ERROR_INVALID_REQUEST,
34	JSONRPC_ERROR_INTERNAL,
35	} from "../constants.js";
36	import { escapeHtml } from "../utils/html.js";
37	import { LRUCache } from "../utils/lru-cache.js";
38
39	// ---------------------------------------------------------------------------
40	// Constants
41	// ---------------------------------------------------------------------------
42
43	/** Token cleanup interval in milliseconds (5 minutes) */
44	const TOKEN_CLEANUP_INTERVAL_MS = 5 * 60 * 1000;	2✔
45
46	/** Session idle timeout in milliseconds (30 minutes) */
47	const SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1000;	2✔
48
49	/** Rate limit: max requests per window */
50	const RATE_LIMIT_MAX = 100;	2✔
51
52	/** Rate limit window in milliseconds (1 minute) */
53	const RATE_LIMIT_WINDOW_MS = 60 * 1000;	2✔
54
55	/** Maximum number of concurrent sessions to prevent memory exhaustion */
56	const MAX_SESSIONS = 1000;	2✔
57
58	// ---------------------------------------------------------------------------
59	// HTTP Server
60	// ---------------------------------------------------------------------------
61
62	/** Track session last activity for idle timeout */
63	interface SessionInfo {
64	transport: StreamableHTTPServerTransport;
65	lastActivity: number;
66	}
67
68	/**
69	* Start the HTTP server with OAuth and MCP endpoints.
70	*/
71	export async function startHttpServer(
72	getServer: () => McpServer,
73	config: HttpServerConfig
74	): Promise<void> {
75	const { host, port, issuerUrl } = config;	21✔
76
77	// Create OAuth provider
78	const provider = new QuireProxyOAuthProvider(config);	21✔
79
80	// Create Express app with DNS rebinding protection
81	const app = createMcpExpressApp({ host });	21✔
82
83	// Security headers via helmet
84	app.use(	21✔
85	helmet({
86	// Disable contentSecurityPolicy as MCP uses JSON-RPC
87	contentSecurityPolicy: false,
88	// Keep other security headers
89	crossOriginEmbedderPolicy: false,
90	})
91	);
92
93	// Rate limiting for OAuth and MCP endpoints
94	const limiter = rateLimit({	21✔
95	windowMs: RATE_LIMIT_WINDOW_MS,
96	max: RATE_LIMIT_MAX,
97	standardHeaders: true,
98	legacyHeaders: false,
99	message: { error: "Too many requests, please try again later" },
100	});
101
102	// Apply rate limiting to sensitive endpoints
103	app.use("/oauth", limiter);	21✔
104	app.use("/mcp", limiter);	21✔
105
106	// CORS middleware - allow OAuth endpoints, restrict MCP endpoint
107	app.use((req, res, next) => {	21✔
108	const origin = req.headers.origin;	4✔
109	if (!origin) {	4✔
110	next();	1✔
111	return;	1✔
112	}
113
114	// Allow CORS for OAuth discovery and flow endpoints
115	// mcpAuthRouter mounts at root: /authorize, /token, /register
116	// Our custom callback is at /oauth/callback
117	const isAllowed = isCorsAllowedPath(req.path);	3✔
118
119	if (isAllowed) {	3✔
120	res.setHeader("Access-Control-Allow-Origin", origin);	2✔
121	res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");	2✔
122	res.setHeader(	2✔
123	"Access-Control-Allow-Headers",
124	"Content-Type, Authorization"
125	);
126	res.setHeader("Access-Control-Max-Age", "86400");	2✔
127
128	// Handle preflight
129	if (req.method === "OPTIONS") {	2✔
130	res.status(204).end();	1✔
131	return;	1✔
132	}
133
134	next();	1✔
135	return;	1✔
136	}
137
138	// Block cross-origin requests to /mcp endpoint
139	res.status(403).json({ error: "Cross-origin requests not allowed" });	1✔
140	return;	1✔
141	});
142
143	// Cache-Control headers for OAuth and MCP endpoints
144	const noCacheMiddleware: express.RequestHandler = (_req, res, next) => {	21✔
145	res.setHeader(	1✔
146	"Cache-Control",
147	"no-store, no-cache, must-revalidate, private"
148	);
149	res.setHeader("Pragma", "no-cache");	1✔
150	res.setHeader("Expires", "0");	1✔
151	next();	1✔
152	};
153
154	// Apply no-cache to all OAuth endpoints (both root-level and /oauth/*)
155	app.use("/oauth", noCacheMiddleware);	21✔
156	app.use("/mcp", noCacheMiddleware);	21✔
157	app.use("/authorize", noCacheMiddleware);	21✔
158	app.use("/token", noCacheMiddleware);	21✔
159	app.use("/register", noCacheMiddleware);	21✔
160	app.use("/.well-known", noCacheMiddleware);	21✔
161
162	// Parse JSON bodies
163	app.use(express.json());	21✔
164
165	// Mount OAuth auth router (AS metadata, authorize, token, register endpoints)
166	app.use(	21✔
167	mcpAuthRouter({
168	provider,
169	issuerUrl: new URL(issuerUrl),
170	scopesSupported: ["read:user"],
171	resourceName: "Quire MCP Server",
172	})
173	);
174
175	// Handle OAuth callback from Quire
176	app.get("/oauth/callback", async (req, res) => {	21✔
177	const { code, state, error, error_description } = req.query;	6✔
178
179	// Handle error from Quire
180	if (error) {	6✔
181	const errorMsg = typeof error === "string" ? error : "Unknown error";	3!
182	const errorDesc =
183	typeof error_description === "string" ? error_description : errorMsg;	3✔
184	console.error(`[quire-mcp] Quire OAuth error: ${errorMsg}`);	3✔
185	res.status(400).send(`	3✔
186	<!DOCTYPE html>
187	<html>
188	<head><title>Authorization Failed</title></head>
189	<body>
190	<h1>Authorization Failed</h1>
191	<p>${escapeHtml(errorDesc)}</p>
192	<p>You can close this window.</p>
193	</body>
194	</html>
195	`);
196	return;	3✔
197	}
198
199	// Validate params
200	if (typeof code !== "string" \|\| typeof state !== "string") {	3✔
201	res.status(400).send(`	1✔
202	<!DOCTYPE html>
203	<html>
204	<head><title>Invalid Request</title></head>
205	<body>
206	<h1>Invalid Request</h1>
207	<p>Missing code or state parameter.</p>
208	</body>
209	</html>
210	`);
211	return;	1✔
212	}
213
214	// Process callback
215	const result = await handleQuireOAuthCallback(	2✔
216	config,
217	getServerTokenStore(),
218	code,
219	state
220	);
221
222	if ("error" in result) {	2✔
223	res.status(400).send(`	1✔
224	<!DOCTYPE html>
225	<html>
226	<head><title>Authorization Failed</title></head>
227	<body>
228	<h1>Authorization Failed</h1>
229	<p>${escapeHtml(result.errorDescription)}</p>
230	<p>You can close this window.</p>
231	</body>
232	</html>
233	`);
234	return;	1✔
235	}
236
237	res.redirect(result.redirectUrl);	1✔
238	});
239
240	// Create session-to-transport map for stateful connections with activity tracking
241	// Uses LRU cache to prevent memory exhaustion from spam attacks
242	const sessions = new LRUCache<SessionInfo>({	21✔
243	maxSize: MAX_SESSIONS,
244	onEvict: (sessionId, session) => {
245	console.error(	×
246	`[quire-mcp] Evicting session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)} (max sessions reached)`
247	);
248	try {	×
249	session.transport.close().catch((err: unknown) => {	×
250	console.error(	×
251	`[quire-mcp] Error closing evicted session:`,
252	err instanceof Error ? err.message : err	×
253	);
254	});
255	} catch {
256	// Ignore close errors on eviction
257	}
258	},
259	});
260
261	// Get resource metadata URL for WWW-Authenticate header
262	const resourceMetadataUrl = `${issuerUrl}/.well-known/oauth-protected-resource`;	21✔
263
264	// Helper to update session activity
265	const touchSession = (sessionId: string): void => {	21✔
266	const session = sessions.get(sessionId);	×
267	if (session) {	×
268	session.lastActivity = Date.now();	×
269	// Re-set to update LRU order
270	sessions.set(sessionId, session);	×
271	}
272	};
273
274	// Helper to clean up a session
275	const cleanupSession = (sessionId: string): void => {	21✔
276	const session = sessions.get(sessionId);	×
277	if (session) {	×
278	try {	×
279	session.transport.close().catch((err: unknown) => {	×
280	console.error(	×
281	`[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
282	err instanceof Error ? err.message : err	×
283	);
284	});
285	} catch (err) {
286	console.error(	×
287	`[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
288	err instanceof Error ? err.message : err	×
289	);
290	}
291	sessions.delete(sessionId);	×
292	}
293	};
294
295	// MCP POST handler
296	const mcpPostHandler: express.RequestHandler = async (req, res) => {	21✔
297	const sessionId = req.headers["mcp-session-id"] as string \| undefined;	2✔
298
299	try {	2✔
300	let transport: StreamableHTTPServerTransport;
301
302	const existingSession = sessionId ? sessions.get(sessionId) : undefined;	2!
303	if (sessionId && existingSession) {	2!
304	// Reuse existing transport and update activity
305	transport = existingSession.transport;	×
306	touchSession(sessionId);	×
307	} else if (!sessionId && isInitializeRequest(req.body)) {	2✔
308	// New initialization request
309	transport = new StreamableHTTPServerTransport({	1✔
310	sessionIdGenerator: () => randomUUID(),	×
311	onsessioninitialized: (sid) => {
312	sessions.set(sid, {	×
313	transport,
314	lastActivity: Date.now(),
315	});
316	},
317	});
318
319	// Clean up on close
320	transport.onclose = () => {	1✔
321	const sid = transport.sessionId;	×
322	if (sid && sessions.has(sid)) {	×
323	sessions.delete(sid);	×
324	}
325	};
326
327	// Connect transport to a new server instance
328	// Cast required due to exactOptionalPropertyTypes incompatibility with SDK
329	const server = getServer();	1✔
330	await server.connect(transport as unknown as Transport);	1✔
331	await transport.handleRequest(req, res, req.body);	1✔
332	return;	×
333	} else {
334	// Invalid request
335	res.status(400).json({	1✔
336	jsonrpc: "2.0",
337	error: {
338	code: JSONRPC_ERROR_INVALID_REQUEST,
339	message: "Bad Request: No valid session ID provided",
340	},
341	id: null,
342	});
343	return;	1✔
344	}
345
346	await transport.handleRequest(req, res, req.body);	×
347	} catch (error) {
348	console.error("[quire-mcp] Error handling MCP request:", error);	1✔
349	if (!res.headersSent) {	1!
350	res.status(500).json({	1✔
351	jsonrpc: "2.0",
352	error: {
353	code: JSONRPC_ERROR_INTERNAL,
354	message: "Internal server error",
355	},
356	id: null,
357	});
358	}
359	}
360	};
361
362	// MCP GET handler (SSE streams)
363	const mcpGetHandler: express.RequestHandler = async (req, res) => {	21✔
364	const sessionId = req.headers["mcp-session-id"] as string \| undefined;	2✔
365
366	const session = sessionId ? sessions.get(sessionId) : undefined;	2✔
367	if (!sessionId \|\| !session) {	2!
368	res.status(400).json({	2✔
369	jsonrpc: "2.0",
370	error: {
371	code: JSONRPC_ERROR_INVALID_REQUEST,
372	message: "Invalid or missing session ID",
373	},
374	id: null,
375	});
376	return;	2✔
377	}
378
379	touchSession(sessionId);	×
380	await session.transport.handleRequest(req, res);	×
381	};
382
383	// MCP DELETE handler (session termination)
384	const mcpDeleteHandler: express.RequestHandler = async (req, res) => {	21✔
385	const sessionId = req.headers["mcp-session-id"] as string \| undefined;	1✔
386	const session = sessionId ? sessions.get(sessionId) : undefined;	1!
387
388	if (!sessionId \|\| !session) {	1!
389	res.status(400).json({	1✔
390	jsonrpc: "2.0",
391	error: {
392	code: JSONRPC_ERROR_INVALID_REQUEST,
393	message: "Invalid or missing session ID",
394	},
395	id: null,
396	});
397	return;	1✔
398	}
399
400	try {	×
401	await session.transport.handleRequest(req, res);	×
402	} catch (error) {
403	console.error("[quire-mcp] Error handling session termination:", error);	×
404	if (!res.headersSent) {	×
405	res.status(500).json({	×
406	jsonrpc: "2.0",
407	error: {
408	code: JSONRPC_ERROR_INTERNAL,
409	message: "Error processing session termination",
410	},
411	id: null,
412	});
413	}
414	}
415	};
416
417	// Set up routes with Bearer auth middleware
418	const authMiddleware = requireBearerAuth({	21✔
419	verifier: provider,
420	resourceMetadataUrl,
421	});
422
423	app.post("/mcp", authMiddleware, mcpPostHandler);	21✔
424	app.get("/mcp", authMiddleware, mcpGetHandler);	21✔
425	app.delete("/mcp", authMiddleware, mcpDeleteHandler);	21✔
426
427	// Start automatic token cleanup interval
428	const tokenStore = getServerTokenStore();	21✔
429	const cleanupInterval = setInterval(() => {	21✔
430	tokenStore.cleanup();	×
431
432	// Also clean up idle sessions
433	const now = Date.now();	×
434	for (const [sessionId, session] of sessions.entries()) {	×
435	if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {	×
436	console.error(	×
437	`[quire-mcp] Closing idle session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}...`
438	);
439	cleanupSession(sessionId);	×
440	}
441	}
442	}, TOKEN_CLEANUP_INTERVAL_MS);
443
444	// Don't keep the process alive just for cleanup
445	cleanupInterval.unref();	21✔
446
447	// Start listening
448	await new Promise<void>((resolve, reject) => {	21✔
449	const server = app.listen(port, host, () => {	21✔
450	console.error(`[quire-mcp] HTTP server listening on ${host}:${port}`);	21✔
451	console.error(	21✔
452	`[quire-mcp] OAuth metadata: ${issuerUrl}/.well-known/oauth-authorization-server`
453	);
454	console.error(`[quire-mcp] MCP endpoint: ${issuerUrl}/mcp`);	21✔
455	resolve();	21✔
456	});
457
458	server.on("error", reject);	21✔
459
460	// Graceful shutdown handler
461	const shutdown = (signal: string): void => {	21✔
462	console.error(	×
463	`[quire-mcp] Received ${signal}, shutting down gracefully...`
464	);
465
466	// Stop accepting new connections
467	server.close(() => {	×
468	console.error("[quire-mcp] HTTP server closed");	×
469	});
470
471	// Clear the cleanup interval
472	clearInterval(cleanupInterval);	×
473
474	// Close all active sessions
475	console.error(	×
476	`[quire-mcp] Closing ${sessions.size} active session(s)...`
477	);
478	for (const [sessionId, session] of sessions.entries()) {	×
479	try {	×
480	session.transport.close().catch((err: unknown) => {	×
481	console.error(	×
482	`[quire-mcp] Error closing session ${sessionId.slice(0, SESSION_ID_DISPLAY_LENGTH)}:`,
483	err instanceof Error ? err.message : err	×
484	);
485	});
486	} catch {
487	// Ignore close errors during shutdown
488	}
489	}
490	sessions.clear();	×
491
492	// Give connections time to close gracefully, then force exit
493	setTimeout(() => {	×
494	console.error("[quire-mcp] Shutdown complete");	×
495	process.exit(0);	×
496	}, 5000);
497	};
498
499	// Handle termination signals
500	process.on("SIGINT", () => {	21✔
501	shutdown("SIGINT");	×
502	});
503	process.on("SIGTERM", () => {	21✔
504	shutdown("SIGTERM");	×
505	});
506	});
507	}

jacob-hartmann / quire-mcp / 21574865257

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous